Content - b9d41974920669578203b65b3e49d8a99d62c7e4 - 4dca8ab/scapolite/V-73607/SV-88271.md

SV-88271.md
---
scapolite:
    class: rule
    version: '0.51'
id: SV-88271
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The DoD Interoperability Root CA cross-certificates must be installed in the
    Untrusted Certificates Store on unclassified systems.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-87313r2
    description: <see below>
checks:
  - relative_id: C-80185r2
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1102
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-000185
    relation: ''
  - system: http://iase.disa.mil/cci
    idref: CCI-002470
    relation: ''
history:
  - version: r2
    action: created
    description: WN16-PK-000020
    internal_comment: ''
---


## /rule

The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.

Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Install the DoD Interoperability Root CA cross-certificates on unclassified systems.

Issued To - Issued By - Thumbprint
DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F

DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13

DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4

Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user.

The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.

## /checks/0/description

This is applicable to unclassified systems. It is NA for others.

Open "PowerShell" as an administrator.

Execute the following command:

Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter

If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is finding.

If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding.

Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F
NotAfter: 9/6/2019

Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13
NotAfter: 9/23/2018

Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4
NotAfter: 2/17/2019

Alternately, use the Certificates MMC snap-in:

Run "MMC".

Select "File", "Add/Remove Snap-in".

Select "Certificates" and click "Add".

Select "Computer account" and click "Next".

Select "Local computer: (the computer this console is running on)" and click "Finish".

Click "OK".

Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates".

For each certificate with "DoD Root CA&#8230;" under "Issued To" and "DoD Interoperability Root CA&#8230;" under "Issued By":

Right-click on the certificate and select "Open".

Select the "Details" Tab.

Scroll to the bottom and select "Thumbprint".

If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.

If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding.

Issued To: DoD Root CA 2
Issued By: DoD Interoperability Root CA 1
Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F
Valid to: Friday, September 6, 2019

Issued To: DoD Root CA 3
Issued By: DoD Interoperability Root CA 2
Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13
Valid to: Sunday, September 23, 2018

Issued To: DoD Root CA 3
Issued By: DoD Interoperability Root CA 2
Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4
Valid to: Sunday, February 17, 2019

## /checks/1/description

IASE supplies an OVAL check.